This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Vladimir
Champion
Champion
‎2018-02-21 07:59 AM

R80.10 versioning and Objects

Can someone enlighten me if the policy versioning preserves the configuration of the objects as well?

I.e. If the object was changed on the date after the target policy restore date, which version of the object will be utilized?

Additionally, can you tell me if cloning of the policy does anything to preserve the objects?

7 Replies
Tomer_Sole
Mentor
Mentor
‎2018-02-21 08:54 AM

Hi,

Can someone enlighten me if the policy versioning preserves the configuration of the objects as well?

 

I.e. If the object was changed on the date after the target policy restore date, which version of the object will be utilized?

The R80 architecture automatic revisions preserve the entire configuration - gateway settings, policies, objects, anything that is stored on the security management server. This means that when using Installation History to install a previous revision on the gateway, it will take the entire configuration from the mentioned date.

Now, if you are using the Layer History, then these changes only refer to rule changes - adding, removing and changing rules. Not Objects.

This is why we generally advise to use Installation History for revision management.

Please find more information here:

How do you rollback an old policy? 

can you tell me if cloning of the policy does anything to preserve the objects?

Cloning policies will only clone rules. It will not clone objects. This has been the behavior with our previous versions as well. With R80.10, if the policies contain layers which are shared, when cloning such policies, the shared layers will not be cloned but pointed at. 

Something that clones everything completely is the ExportImportPolicy tool (Python tool for exporting/importing a policy package or parts of it ) even though it may become a little hard to manage...

If one of your use cases for cloning policies is having a "last known good configuration" to install in case of problems, you may want to look at Installation History rather than cloning things. But if you have a different reason I would like to hear.

Vladimir
Champion
Champion
‎2018-02-21 09:01 AM

Thank you Tomer: I'm just trying to keep all the possibilities straight.

Will the situation where reversion to the previous policy where one of the objects was, for instance, a domain controller which configuration or credentials were changed since, produce any kind of warnings?

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2018-02-21 09:52 AM
In response to Vladimir

You mean if the policy installation process identifies an external change that isn't part of the security management configuration? Then in that case it will not alert you. But this is an interesting point, thanks for raising it.

0 Kudos
Vladimir
Champion
Champion
‎2018-02-21 10:04 AM

Not necessarily external change either.

Consider this scenario:

Admin have originally configured Identity Awareness using IA wizard.

Two weeks later, AD Domain administrative (or special account) password is changed and so were the LDAP Account Credentials in the LDAP Account Unit Properties.

Next day, some other change in the policy is causing problems.

Admin is trying to revert to the policy saved Prior to  LDAP Account Credentials alterations.

IA is going down causing even more problems.

Tomer_Sole
Mentor
Mentor
‎2018-02-22 12:18 AM
In response to Vladimir

Actually in that case, installing a revision from the past will install the LDAP account unit settings of the past.

0 Kudos
Vladimir
Champion
Champion
‎2018-02-22 04:55 AM
In response to Tomer_Sole

Exactly. So my question is, in this case, where revision control will impact behavior of the IA, for instance, are there any additional verification or notification mechanisms notifying administrators that this will be the case?

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2018-02-22 07:02 AM
In response to Vladimir

The "view installed changes" button will show you the specific audit logs. So you will know what gets replaced. In that case, you will have to view the installed changes of the version above the one you are installing.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events